Hey Tumblr, WTH Were You Thinking?

<Read in the voice of Don LaFontaine…> In a world, where spam and phishing attacks run rampant; where users are beaten in the cafeteria by sysadmins for nothing more than the crime of clicking on a link; where some companies are even considering abandoning email entirely…one company, one visionary, has the nerve to do what no other company will. This company, this inspiration to us all, sends an email with an urgent call to action, and a button to click. Where one man is willing to invoke the wrath of countless email and security sysadmins by sending an email out urging users to “just hit this button” but if they don’t, “within two weeks {we’ll just give your stuff away}… “ one defiant blogger is willing to stand up and say “no more.”

Well, not really, but I am willing to stand up (seriously, I have a standing desk!) and type “Hey Tumblr, what the hell were you thinking?”

If you are an email sysadmin, you know that the worst thing any one of your users can do is click on a link in an email they shouldn’t have. You spend significant portions of your IT budget on anti-spam/anti-phishing/anti-malware filtering solutions to try to stop the bad things from getting into your users’ inboxes. And you spend almost as many hours training your users on how to identify phishing as you do cleaning up after them when they fail to do so and give away the goods.

All day, every day, bad guys try their level-best to impersonate legitimate services, so the last thing we need is a legitimate service impersonating the bad guys, but that is EXACTLY what Tumblr did.

Having a somewhat uncommon name, it’s rare for me to try to sign up for any new service and find that my “username” has already been taken, but I have seen it happen often enough that I know how disappointing it can be. I would hate to go around as cmanes73 when I really just want to be casper. So I applaud Tumblr for looking at all its inactive accounts to see if there are some names that it can release back into the wild so someone else can use them. Seriously, that is a good thing. I wish Google would take a hint from this. But Tumblr had a really bad implementation of a really good idea.

Think about it. What are the most common indicators of a phishing attack?

An unexpected email

An embedded link

A call for action

An implied penalty for inaction

Bad grammar

Have a look at this email I got from Tumblr earlier this week.

An unexpected email-CHECK

An embedded link-CHECK

A call for action-CHECK

An implied penalty for inaction-CHECK

Bad grammar-nope…they at least know how to spellcheck and use good grammar.

Still, four out of five dentists agree…this smells like a phishing scam. If you were to mouse over the button, you would see a URL that looks a little like this.

Yes, that URL is so long I cannot even mouse over it to check it out. Copying the shortcut and pasting it into a text editor shows it to be this (with just a handful of characters changed).

So, it does look somewhat legitimate, but how can you be sure? I mean, really, what the heck does all that mean? The only way to find out was to click the link, which is exactly what I would beat an end user for doing! But heck, this is for my readers… so I did. Well, not exactly. I opened the link in a browser on a sandboxed VM that had no access to anything, and wasn’t even persistent! Gotta love those bootable Linux ISOs and VirtualBox! As a result, I have no screenshot to show you, but son of a gun, it basically looked like a Tumblr page, had a Tumblr SSL cert, and the IP address mapped back to Tumblr. The only problem? It wanted me to enter my username and my password to verify my account! So then what the heck were those 477 characters in the link supposed to mean?!!?
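As an added example (not from the original post, and not anything Tumblr ships), here is the mouse-over check done as a small Python script: it pulls every link out of an HTML email body, reports the real host behind each button, whether the visible link text agrees with that host, and how long and parameter-laden the URL is, so the link can be inspected without ever clicking it. The sample email body and its domains are constructed placeholders, and `registered_domain` is a crude two-label approximation rather than a public-suffix lookup.

```python
"""
Added example: inspect the links in an HTML email body without clicking
them, reporting the things a sysadmin checks by hand (real host, link
text vs. href, URL length, number of query parameters).
The sample body and domains below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a "confirm your account" email body (placeholder domains).
SAMPLE_EMAIL_HTML = """
<p>Your account has been inactive. Confirm it within two weeks or we
will release your username.</p>
<a href="https://accounts.example-service.com/verify?token=ab12cd34ef56&u=casper&ref=mail">Confirm my account</a>
<a href="http://example-service.com.login-check.example.net/verify">example-service.com</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname; a rough stand-in for the registrable domain (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def inspect_links(html_body, expected_domain):
    """Return one report dict per link: real host, query-parameter count, and a list of findings."""
    collector = _LinkCollector()
    collector.feed(html_body)
    reports = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        findings = []
        if parts.scheme != "https":
            findings.append("not https")
        # The host that actually serves the page must sit under the sender's domain.
        if registered_domain(host) != expected_domain.lower():
            findings.append(f"host {host} is not under {expected_domain}")
        # Visible text that looks like a domain but points somewhere else.
        if "." in text and " " not in text and registered_domain(text) != registered_domain(host):
            findings.append(f"link text {text!r} does not match host {host}")
        if len(href) > 100:
            findings.append(f"long URL ({len(href)} chars)")
        reports.append({
            "href": href,
            "host": host,
            "query_params": len(parse_qs(parts.query)),
            "findings": findings,
        })
    return reports


if __name__ == "__main__":
    for r in inspect_links(SAMPLE_EMAIL_HTML, "example-service.com"):
        status = "OK" if not r["findings"] else "; ".join(r["findings"])
        print(f"{r['host']:45} params={r['query_params']} {status}")
```

Run it against a saved `.eml` body (or paste the HTML source of the message) and read the findings before anyone touches the button; the first constructed link comes back clean but carries three opaque parameters, while the second is flagged for plain HTTP, a host outside the expected domain, and link text that disagrees with where it goes.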

So, obviously the good folks at Tumblr have an understanding of what phishing is, since they warn users about entering their Tumblr creds elsewhere. I bet those folks and the inactive account validation team probably play against one another at the Yahoo corporate picnic softball game.

Seriously though, Tumblr, and every other social network and Internet-connected service provider out there: it’s great that you want to do spring cleaning on your user accounts database. It’s appreciated that you want to return unused usernames to the pool, especially since so many were probably grabbed up by someone squatting on them in the hopes they might make a buck or two. But use some common sense next time. Don’t embed a link. Don’t have that link go to a page that asks for creds. Either send a link that is clear and simply validates the account without further action, or direct the user to go log on to their blog or your homepage (either way, no link!) and have them log on to confirm. When sysadmins spend uncountable hours and energy telling users “never do this!” and then you do something that makes us have to say “well, okay, except this time, but just this one!” you aren’t really helping anybody!

And if you are the sysadmin for a company that provides services to consumers or other businesses or even your own internal users, take heed of the above. Don’t do things that make you look like the phishing attackers you’re trying to protect against!